Microsoft Knowledge Base Email Alertz

You may be redirected to the forms authentication logon page, or you may receive an error message when you try to run an application that is built by using the .NET Framework 2.0

Microsoft Knowledge Base Article

This article's content is Microsoft copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

Article ID: 917412 - Last Review: December 3, 2007 - Revision: 1.5

SYMPTOMS

When you try to run an application that is built by using the Microsoft .NET Framework 2.0, you may be redirected to the forms authentication logon page. Alternatively, you may receive an error message that resembles the following:

    Server Error in '/WebSites1' Application.
    --------------------------------------------------------------------------------

    Object reference not set to an instance of an object.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Note: You may experience other problems that are caused by session loss.

This problem may occur when one or both of the following conditions are true:
  • You migrate a Web application from the .NET Framework 1.1 to the .NET Framework 2.0.
  • You use a script, a Java applet, or a Microsoft ActiveX control on the client side to perform a request in a Web application.

CAUSE

This problem occurs because the HttpOnly attribute prevents any client script from accessing the session cookie. The HttpOnly attribute is added to the session cookie in the .NET Framework 2.0.

RESOLUTION

To resolve this problem, set the HttpOnly attribute for the session cookie to the false value.

Note: Setting the HttpOnly attribute to the true value does not prevent a malicious user from accessing the cookie directly when the malicious user has access to the network channel. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important. A malicious user may use an open browser window or a computer that contains persistent cookies to access a Web site by using a legitimate user's identity.

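To set the HttpOnly attribute to the false value, replace the Session_Start method in the Global.asax file with the following code.

    void Session_Start(object sender, EventArgs e)
    {
        // Clear HttpOnly on the forms authentication cookie and the session cookie so that
        // client-side code (script, Java applet, ActiveX control) can read them again.
        // Both cookies then become readable by any script that runs in the page.
        foreach (string s in Response.Cookies.AllKeys)
        {
            // An ordinal, case-insensitive comparison tolerates a null key and does not
            // depend on the culture of the current thread, unlike s.ToLower().
            if (s == System.Web.Security.FormsAuthentication.FormsCookieName
                || string.Equals(s, "ASP.NET_SessionId", StringComparison.OrdinalIgnoreCase))
            {
                Response.Cookies[s].HttpOnly = false;
            }
        }
    }
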
Note: If you want to reuse this code in multiple applications, put this code in a custom HttpModule class.
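
The reuse described in the note above, sketched as an added example (not code from the Microsoft article): an IHttpModule that subscribes to SessionStateModule.Start, the event that Global.asax surfaces as Session_Start, and applies the same change to the same two cookies. The class name is hypothetical, and the module name "Session" and the cookie name "ASP.NET_SessionId" are assumed to be the framework defaults, unchanged in configuration.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

// Hypothetical class name. Register the type under <httpModules> in web.config
// of each application that needs script-readable session cookies.
public class ScriptReadableSessionCookieModule : IHttpModule
{
    // Assumption: SessionStateModule is registered under its default name.
    private const string SessionModuleName = "Session";
    // Assumption: <sessionState cookieName="..."> has not been changed.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication application)
    {
        SessionStateModule sessionModule =
            application.Modules[SessionModuleName] as SessionStateModule;
        if (sessionModule == null)
        {
            return; // session state is not enabled, so there is nothing to hook
        }
        sessionModule.Start += OnSessionStart;
    }

    private static void OnSessionStart(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return;
        }
        HttpCookieCollection cookies = context.Response.Cookies;
        foreach (string name in cookies.AllKeys)
        {
            // Only the forms authentication and session cookies lose HttpOnly;
            // every other cookie in the response keeps the flag it was issued with.
            if (string.Equals(name, FormsAuthentication.FormsCookieName, StringComparison.Ordinal)
                || string.Equals(name, SessionCookieName, StringComparison.OrdinalIgnoreCase))
            {
                cookies[name].HttpOnly = false; // cookie becomes visible to document.cookie
            }
        }
    }

    public void Dispose() { }
}
```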

MORE INFORMATION

For more information about the HttpOnly attribute, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx
For more information about the HttpModule class, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/library/zec9k340(vs.71).aspx
For more information about breaking changes in the .NET Framework 2.0 and in the HttpOnly attribute, visit the following MSDN Web site:
http://msdn2.microsoft.com/en-us/netframework/aa497240.aspx
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

APPLIES TO
  • Microsoft .NET Framework 2.0
  • Microsoft ASP.NET 2.0
Keywords: 
kbprb kbbug kbinfo kbnofix kbtshoot KB917412
       
